Wary of cyber security laws, UK eyes softly-softly approach

LONDON (Reuters) - Britain will try to get companies to beef up cyber security by encouraging investors and shareholders to hold them to account on the issue, but will reject U.S.-style mandatory reporting of online attacks, government officials say.

Britain has made tackling the theft of intellectual property on the Internet and the protection of critical infrastructure from hostile cyber assault top national security issues, setting aside 650 million pounds over four years to address the problems.

More than nine in 10 British companies have suffered a cyber breach in the past year and intellectual property is being stolen on an "industrial scale", government officials said in a briefing ahead of a government update on Monday on its year-old cyber security strategy.

But despite the fact that more and more trade secrets are being purloined via the Internet, officials said they favoured a softly-softly approach.

That would involve professional auditing and governance bodies and shareholders and analysts pressuring company directors to explain what they were doing to thwart cyber threats, they said.

"The government does want to see more disclosures. But we don't think the right way of approaching that is to pass laws to force people to do it in those areas where they are not already obliged," one official said on condition of anonymity because of the sensitivity of security issues.

"Rather than forcing companies to disclose it, we think it is best to encourage analysts, investors, shareholders, insurers, to ask for that information," he said.

"A PERVERSE INCENTIVE"

Unlike their U.S. peers, British companies aren't required to report cyber attacks, an obligation that supporters of such legislation believe keeps directors on their toes and helps ensure cyber defences are up to scratch because of the fear of reputational damage.

However, Britain believes obligatory reporting risks having the opposite effect and becoming a "perverse incentive" that would prompt directors to actually turn a blind eye to online breaches in order to escape unwanted publicity.

Even when companies did reveal such attacks, company directors would be likely to say as little as possible about such incidents, the official said.

Mandatory reporting "would be positively harmful from the point of view of getting people to share information," he said.

In a related move, the government said on Monday it would extend a pilot scheme under which 160 firms in the defence, finance, pharmaceuticals, energy and telecommunications sectors shared information about cyber attacks confidentially.

Alan Calder, head of British cyber consultancy IT Governance, questioned the government's approach, saying the U.S. model of mandatory reporting was a good discipline for directors.

"Being forced to disclose information would be a very good thing, it would put a lot of pressure on companies," he said.